IRI Data Protector Suite
IRI, The CoSort Company
Vendor Background
● Specializing in data management and data protection
● Innovator in data manipulation functionality and speed
● ⅞ products share 1 metadata and Eclipse GUI
● Privately owned since 1978
● Headquartered 1 hour southeast of Orlando, FL
● Resellers in more than 40 international cities
Selected IRI Data Masking Customers
Most IRI customers process and protect PII in databases, flat-files, or “big data” repositories, including Hadoop or NoSQL DBs. Others are building or testing applications. IRI’s data masking consultants and clients are mostly in healthcare and BFSI.
IRI Data Protector Suite
What FieldShield Does
● Connect and interact with multiple source and target repositories, on-prem or cloud
● Discover and classify sensitive data in DB, flat-file, and dark-data sources
● Secure fields with PII, PHI, etc. via 12 built-in masking function categories
● Address multiple protections and recipients in one job script, one I/O
● Apply protection rules across tables and preserve referential integrity
● Support conditional security, i.e. based on patterns, values, or ranges
● Specify protections and layouts in Eclipse GUI and portable 4GL job scripts
● Integrate with DB apps via ODBC and .NET and Java SDK for dynamic data masking
● Retain data realism (e.g. FPE and pseudonyms) for testing and outsourcing
● Operate concurrently in big data ETL, migration, sub-setting, and BI/analytic jobs
● Log job and system runtime detail to an XML audit file to verify compliance
● Within Voracity, support streaming input and Hadoop execution paradigms
IRI FieldShield
FieldShield Data Sources (Native)
Acucobol Vision | Delimited | MaxDB | SQL Server
Altibase (FACT) | Derby (WB) | Mongo (WB) | SQLite
ASN.1 TAP3 | ESDS | MF-ISAM | Sybase ASA/E & IQ
BIRT DB (WB) | Excel (WB) | WF Var. Length | Tibero (WB)
BIRT Hive (WB) | ELF web logs | MySQL | Teradata (WB)
BIRT JDBC (WB) | Fixed | Oracle | Text
BIRT POJO (WB) | Heap / print | Outlook (WB) | UTF-8 & 16
C-ISAM | HSQLDB (WB) | PDF (WB) | Variable Block
CLF web logs | IDX 3, 4 & 8 | PostgreSQL | Variable Sequential
CSV | Informix | Powerpoint (WB) | VSAM MVS (UniKix)
DB2 (UDB) | Ingres | Record Sequential | Web Services (WB)
DB2 for i5/OS (WB) | LDIF | RTF (WB) | Word (WB)
DB2 for z/OS (WB) | Line Sequential | SQL Anywhere | XML
FACT: requires IRI Fast Extract (FACT)
WB: requires IRI Workbench, the free Eclipse GUI for FieldShield, etc.
FieldShield Data Sources (Legacy)
Accessible via IRI partner (CONNX) J/ODBC drivers
Access | D3 | GA-Power 95, R91 | K-ISAM | Pathway | RMS
Adabas | Datacom | Gemstone | Knowledgeman | PDS | Reality/X
Advanced Pick | Dataflex | GENESIS | KSDS | PervasiveSQL | RRDS
ALLBASE | Db4o | Gigabase | Lotus | Pick/Pick64+ | SAP HANA
Alpha5 | dBase | H2 | Manman | PI-Open | Sequoia
Amazon RDS | Desktop Adapter | IDMS | Mentor / pro | Powerflex | Sharebase
Azure | DL/1 | IDS | MO | Powerhouse | Supra
BizTalk | DSM | Image | Model 204 | Progress | Terracotta
Cache | Enscribe | IMS | Mumps | QueryObject | Total
Clipper | Enterprise Adapter | Interbase | MyBase | rBase | Ultimate
Codasyl | FileMaker | Intersystems | Netezza | R83 | UltPlus
CorVision | Firebird | ISM | NonStop SQL | Rdb | Unidata
ConceptBase | Focus | Jasmine | ObjectStore | REALITY | Universe
D-ISAM | FoxPro | JBase | Paradox | Red Brick | VSAM VSE
FieldShield Data Sources (Modern)
Amazon EMR Hive | FinancialForce | Marketo | Pivotal Greenplum
Apache Cassandra | Force.com apps | MongoDB | Pivotal HD Hive
Apache Hadoop Hive | Hortonworks Hive | MS Dynamics CRM | Salesforce.com
Cloudera CDH Hive | Hubspot | MS SQL Azure | ServiceMAX
Cloudera Impala | Lightning Connect | Oracle Eloqua | Spark SQL
Database.com | MapR Hive | Oracle Service Cloud | Veeva CRM
Sensitive Data Discovery - Multiple Wizards
FieldShield (and all IRI software) includes PII discovery capability, which includes cross-source data identification and classification, string (literal or dictionary), pattern, and fuzzy-logic searches, statistical reporting, and automatic metadata creation. Fit-for-purpose GUI wizards deliver:
● DB and file classification, with rule matcher libraries
● DB profiling and E-R diagramming
● Dark data discovery and structuring, with metadata reporting
● Flat-file statistical and value searching
● Structured data metadata discovery and definition
Static Data Masking Functions (1-3 of 12)
Encryption & Decryption
● 3DES ECB & SSL
● AES-128 & -256 CBC
● AES-256 Format-Preserving
● GPG (PGP-compatible)
● FIPS-compliant OpenSSL
● Custom
Character Scrambling
● For ASCII data
● Less secure
● Reversible
Encoding & Decoding
● Converts binary to ASCII
● Supports base64 & hex
● Reversible
Static Data Masking Functions (4-6 of 12)
Pseudonymization
● Provides realistic names
● Reversible lookup values
● Non-reversible selection
Redaction / Replacement
● Partial/full-field masking
● Conditional omission
● Non-reversible
Randomization
● Random data generation
● Random data selection
● Non-reversible
Static Data Masking Functions (7-12 of 12)
Hashing
● SHA-1 & 2 cryptographic
● Returns hash of field string
● Use for integrity checking
Expressions
● Mathematical operations
● PCRE logic
● Custom blurring
String Manipulations
● Find, replace, and add
● Reposition and trim
● Use INSTR information
#10 Blurring
Add random “noise” to numeric values and bucket quasi-identifiers to generalize/anonymize them.
#11 Tokenization
DB-value substitute for PCI DSS
#12 Custom Function
User’s field-level call
Query-Ready XML Audit Log
Re-ID Risk Determination
IRI FieldShield or Voracity
US HIPAA and FERPA regulations require that patient and student data sets used in research or marketing have a statistically certified “very small” chance of being re-identifiable.
● IRI risk scoring wizard produces re-ID probability scores in 3 modes
● Analyzes quasi-identifiers with multiple, peer-reviewed functions
● Detail and graphical output
Mongo Masked
… and unmasked
Masking et al in Hadoop, Too
IRI FieldShield in Voracity
Map once, deploy anywhere
IRI Dynamic Data Masking Options
Method | Operation
ODBC Select / Update | Apply protections with precision to any given column value(s) in qualifying row(s)
DB App Invocation | Use .NET or Java SDK library functions or system-call job scripts on the fly
In-Situ Redaction | User and SQL-specific full and partial column masking on query (Chakra Max)
Custom I/O Procedures | Drive real-time application data directly to/from FieldShield jobs in memory
Real-Time Processing | Hadoop Spark and Storm processing of dynamic input streams in Voracity
Encryption Key Management Options
1. Passphrase (key string) embedded in script
2. String as environment variable
3. String in (securable) key file
4. Multi-factor authentication via Townsend Security Alliance Key Manager
Masking Complex XML (via Sonra Flexter pre-parsing, JSON next!)
User Profiles
● Vertical industries and governmental agencies storing, processing, or outsourcing applications with sensitive data, such as:
○ Banks
○ Census / Tax
○ Defense
○ Health Care
○ Insurance
○ Schools
● Application, DB, and DW users handling sensitive data
● CISOs, compliance teams, consultants, IT managers, and solution architects
Use Cases
Tesco Bank/RBS UK
○ Decrypt and re-encrypt fields in credit card migration and test files
○ Generate and manage encryption and user ID keys
○ Other projects protect 38,265 records per minute on Windows
Accenture Singapore
○ Design and run encryption and masking jobs on Linux servers
○ Secure PHI for the Ministry of Health Holdings (MOHH)’s Oracle DB
○ Row sequencing and job audits
Medicx Media Solutions USA
○ Encryption and hashing functions to PII and PHI in geo-medical consumer health databases
○ Exceeds HIPAA requirements in provisioning mScores™ data to digital and direct marketers
Key Differentiators
Developer Support
○ Version controls
○ Master data definition
○ Secure key management
○ Project management (teaming)
○ SDK supports .NET and Java calls
○ Source data and metadata discovery
○ XML job logs and re-ID risk scoring
One-Stop-Shop
○ Extract, Transform, and Load (ETL)
○ Data and DB migration
○ Test data generation
○ Advanced BI
○ Reporting
Price Performance
○ The data-centric security tool with:
➜ The most sources
➜ The most protection functions
➜ The most target file formats
○ Fastest standalone protection software
Ease-of-Use
○ Familiar Eclipse GUI
○ Self-documenting 4GL syntax
○ Easy management and modification of jobs/metadata
Competitive Advantages
vs. IBM
○ FieldShield scripts simpler than Optim interoperability model and JavaScript options
○ Seamless integration with more sources
○ More functions
○ Lower cost
vs. Informatica
○ FieldShield DDM inclusive with product (compared to Informatica’s upgrade)
○ More protection functions
○ Integration with Eclipse and Excel
○ Access to 4GL scripts
○ Lower cost
vs. CA (Grid-Tools)
○ FieldShield’s CoSort engine is faster than Grid-Tools’ Fast Data Masking
○ Tight integration with data profiling, ETL, data quality, and BI operations
○ Multi-target/format options
○ Lower cost
○ Built-in re-ID risk determination wizard
vs. GRT
○ FieldShield has more masking and encryption functions
○ Hash, decode, and pseudonymize functions
○ Faster and more extensible in the IRI Workbench IDE
○ Lower cost
IRI Data Protector Suite
What CellShield Does
● Discover, report, and mask PII and perform audit actions in Excel 2010 & 2013
● Search & secure spreadsheets (and other dark data) throughout a LAN
● Provide common and allow new search pattern definitions for PII formats
● Search for strings in a dictionary, and find/fix PII floating in cells
● Support reuse and sharing of patterns in project or cloud repositories
● Generate a report of all patterns found and open it for action in a worksheet
● Open applicable worksheets and highlight the located ranges for protection
● Click to encrypt, mask, or pseudonymize with supplied functions and options
● Reveal data with the decryption key, or if a reversible pseudonym was used
● Overlay results directly into the affected cells or in another worksheet
● Move between or bulk-remediate all identified worksheets and ranges
● Auto-insert protection details into an un-editable audit column in the report
IRI CellShield
CellShield PII Discovery
The dark data profiling wizard in the IRI Workbench searches network-wide for sensitive data in spreadsheets based on user-specified (plus popular and saved) Java regular expressions (patterns):
CellShield Reporting
The report produced by the profiling wizard opens in a dynamic worksheet supported by an action dialog for protection and auditing activities
CellShield Protection
Perform point-and-click encryption and decryption, masking (full or partial cell), or pseudonymization (reversible and nonreversible) of the applicable ranges within the spreadsheets in the report:
CellShield Intra-Cell Search & Mask
Feature finds and fixes floating PII, ad hoc, or en masse
CellShield Auditing
An uneditable log entry for the protection applied to each pattern identified in the report is automatically appended on each action:
IRI Data Protector Suite
What RowGen Does
● Create synthetic but realistic random and random-real test data simultaneously
● Improve DB prototypes, application quality, benchmarking, and outsourced operations
● Use standard DB DDL, production file, and custom metadata to define layouts
● Preserve structural and referential integrity of real EDW DBs for testing
● Produce data of any type, structure, volume, value range, and if condition
● Synthesize composite data values and custom (master) data formats
● Generate computationally valid and invalid NIDs (Codice Fiscale, etc.), SSNs, and CCNs
● Set and graph test data value distributions (linear, normal, random, etc.)
● Apply common attribute rules (like lookups) for pattern-matched field names
● Filter, transform, and pre-sort test data while it’s being generated
● Write loader metadata and perform direct path loads for test DB populations
● Build test flat-file and custom/structured detail and summary report targets
● Subset and mask databases automatically for test purposes
● Provide SDK functions for generating test data in Java apps and Hadoop
IRI RowGen
Use Existing Data Models and Metadata
Build Test Data for:
○ CoSort
○ DataStage
○ DB2
○ Hadoop
○ Informatica
○ NoSQL DBs
○ Oracle
○ SQL Server
○ Sybase
○ Teradata
○ CSV
○ XML
○ LDIF
○ COBOL
DB Subsetting with the Masking Option
RowGen’s subsetting and test data generation wizards facilitate DB and EDW prototyping. Smaller, referentially-correct copies of larger table extracts ensure production data is safe and test data is realistic. Masking secures the sensitive information in them.
User Profiles
Anyone doing DB testing, app development, stress-testing, or benchmarking, including:
○ Developers (programmers)
○ DBAs and DW (ETL) architects
○ Analysts and consultants
Use Cases
Bank of Montreal
○ Generates safe, realistic 20GB Oracle tables with RI for query testing
MasterCard Peru
○ Synthesizes PAN and PII in files to support OLTP and app testing
Transitive UK
○ Simultaneously creates and transforms data to test cross-OS virtualization
Key Differentiators
1. Big data generation and population performance (embedded CoSort pre-sorting engine speeds bulk loads)
2. Synthetic data that’s broader and safer than real data
3. Concurrent test data manipulation and reporting
4. Familiar Eclipse IDE and simple, portable, modifiable test data generation and auto-built DB loader scripts
5. Metadata compatibility with IRI DM (and third-party ETL, BI, etc. platforms via AMM/MIMB)
IRI Data Protector Suite
What Chakra Max Does
● High-volume, data-centric audit and protection (DCAP) for 20 different databases
● Monitor, block, alert, and log users and traffic in real-time without impacting DB performance or availability
● Control DB access and permissible SQL executions by user and rule
● Mask data dynamically with full or partial field value redaction
● Apply policies across multiple DB instances at once
● PII access logging
● ISO 27001-compliant activity reporting and log analysis
● Uses a 3-tier Web Application Server (WAS) agent to collect packets between the client and DB, and it monitors and controls them
IRI Chakra Max
Chakra Max Overview
Real-Time Monitoring & Auditing
Dynamic Data Masking
User Profiles
● Anyone with databases containing PAN, PII, PHI, or other sensitive information
● Companies needing a standard multi-source DCAP solution
● Businesses requiring central and differential control over DB access
● Anyone needing real-time DB monitoring and alerting
Use Cases
Hankook Performance Tires
○ Chose Chakra Max for scalability and low impact on performance
LG U+
○ Secures access to PII in customer DBs across mobile services network
University of Maryland Medical Center
○ Uses DDM and secure audit log facilities for PHI protection and compliance verification
Key Differentiators
Performance
○ Most stable and best-performing DCAP solution for high-traffic volume environments
○ Firewall thousands of DBs at once
○ 100k SQL/second monitor speed
○ 10k-25k SQL/second audit speed
○ Low-impact
Capability
○ User-level access and execution privileges
○ DDM without changing original DB content
○ Monitors all login attempts, transaction commands, and results sets
○ Real-time logging
○ Automated reports
○ 40 formats for printing
○ 14 formats for saving
Interoperability
○ Support for 20 different DBs on Linux, Unix, and Windows platforms
○ Extensible with IRI Voracity
➨ Discount for bundled purchase
➨ Enables all-in-one data discovery, integration, migration, governance, and analytics
Compliance
○ Internal and data privacy law compliance
○ Powerful and flexible auditing facilities for both real-time alerts and logging and forensic investigation of the logs
○ Complete audit history
○ Automatic backups
○ Post-deletion restore capabilities
Learn and Share
IRI.com
IRI blog
LinkedIn Data Masking & Protection Group
LinkedIn Test Data Management Group